First of all, if you don’t have the WordFence plugin installed, install that firewall plugin immediately.
Second: make SURE that your administrative user name HAS NOTHING WHATSOEVER to do with your website content.
Third, if WordFence is new to you, go down the list, one by one, and secure your site.
Fourth: run scans regularly on your site to monitor for outdated plugins, changed/edited files, etc. Also check the section titled “failed Login attempts” and blacklist any usernames that are being used to attempt to log in to your WordPress dashboard. A common one being used by bots currently on ALL/EVERY SITE I MANAGE right now is “test”. Make sure you blacklist that one, along with “admin” and also the name of your site (e.g. commonly used on my site is the username everythingit, which is NOT a user). Monitor users if you have login enabled on your site.
There is so much more. I realize I haven’t been monitoring as closely as I used to, because I guess I got tired of it, but I definitely see after looking today that activity has DEFINITELY picked up! So keep an eye out on your site.
Stay Safe. 🙂
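The second and fourth steps above can be checked together offline. This is an added example, not part of the original post and not WordFence code: the CSV layout, the account names and the host `everythingit.example` are constructed assumptions, and the function names are hypothetical.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample data. The CSV layout is hypothetical, not a WordFence export format.
FAILED_LOGINS = """ip,username
203.0.113.7,test
203.0.113.7,admin
198.51.100.23,everythingit
198.51.100.23,test
192.0.2.44,jsmith
203.0.113.9,Admin
192.0.2.50,test
"""
REAL_USERS = {"jsmith", "k7-vault-owl"}  # constructed: accounts that exist on the site
ADMIN_USERS = {"k7-vault-owl"}           # constructed: accounts with the administrator role
SITE_HOST = "everythingit.example"       # constructed host built from the post's site name
ALWAYS_BLOCK = {"admin", "test"}         # names the post says to blacklist

def triage_failed_logins(log_text, real_users):
    """Split failed attempts into blocklist candidates (no such account) and
    real accounts under attack (watch these; blocking them locks the owner out)."""
    real = {u.lower() for u in real_users}
    candidates, targeted = Counter(), Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        name = row["username"].strip().lower()
        if name:
            (targeted if name in real else candidates)[name] += 1
    return candidates, targeted

def risky_admin_names(admins, host, tried):
    """Return admin logins that are guessable, with the reason for each."""
    site = host.lower().split(".")[0]
    tokens = {site} | {t for t in re.split(r"[^a-z0-9]+", site) if len(t) >= 3}
    risky = {}
    for admin in admins:
        low = admin.lower()
        reasons = []
        if any(t in low for t in tokens):
            reasons.append("related to site name")
        if low in tried or low in ALWAYS_BLOCK:
            reasons.append("already guessed by bots")
        if reasons:
            risky[admin] = reasons
    return risky

if __name__ == "__main__":
    candidates, targeted = triage_failed_logins(FAILED_LOGINS, REAL_USERS)
    print("blacklist:", sorted(set(candidates) | ALWAYS_BLOCK))
    print("real accounts under attack:", dict(targeted))
    print("risky admin names:", risky_admin_names(ADMIN_USERS, SITE_HOST, candidates))
```

Usernames that match a real account are reported separately instead of being blacklisted, since blocking them would lock out the legitimate owner.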